Google has introduced a new vulnerability rewards program to pay researchers who find security flaws in its open-source software or in the building blocks that its software is built on. It’ll pay anywhere from $101 to $31,337 for information about bugs in projects like Angular, GoLang, and Fuchsia or for vulnerabilities in the third-party dependencies that are included in those projects’ codebases.
While it’s important for Google to fix bugs in its own projects (and in the software that it uses to keep track of changes to its code, which the program also covers), perhaps the most interesting part is the bit about third-party dependencies. Programmers often use code from open-source projects so they don’t continuously have to reinvent the same wheel. But since developers often directly import that code, as well as any updates to it, that introduces the possibility of supply chain attacks. That’s when hackers don’t target the code directly controlled by Google itself but go after these third-party dependencies instead.
Open-source libraries can sometimes be used as a trojan horse into bigger projects
As SolarWinds showed, this type of attack isn’t limited to open-source projects. But in the past few years, we’ve seen several stories where big companies have had their security put at risk thanks to dependencies. There are ways to mitigate this sort of attack vector — Google itself has begun vetting and distributing a subset of popular open-source programs, but it’s almost impossible to check over all the code a project uses. Incentivizing the community to check through dependencies and first-party code helps Google cast a wider net.
According to Google’s rules, payouts from the Open Source Software Vulnerability Rewards Program will depend on the severity of the bug, as well as the importance of the project it was found in (Fuchsia and the like are considered “flagship” projects and thus have the biggest payouts). There are also some additional rules around bounties for supply chain vulnerabilities — researchers will have to inform whoever’s actually in charge of the third-party project first before telling Google. They also have to prove that the issue affects Google’s project; if there’s a bug in a part of the library the company’s not using, it won’t be eligible for the program.
“Researchers can now be rewarded for finding bugs that could potentially impact the entire open source ecosystem.”
Google also says that it doesn’t want people poking around at third-party services or platforms it uses for its open-source projects. If you find an issue with how its GitHub repository is configured, that’s fine; if you find an issue with GitHub’s login system, that’s not covered. (Google says it can’t authorize people to “conduct security research of assets that belong to other users and companies on their behalf.”)
For researchers who aren’t motivated by money, Google offers to donate their rewards to a charity picked by the researcher — the company even says it’ll double those donations.
Obviously, this isn’t Google’s first crack at a bug bounty — it had some form of vulnerability reward program for over a decade. But it’s good to see that the company’s taking action on a problem that it’s been raising the alarm about. Earlier this year, in the wake of the Log4Shell exploit found in the popular open-source Log4j library, Google said the US government needs to be more involved in finding and dealing with security issues in critical open-source projects. Since then, as BleepingComputer notes, the company has temporarily bumped up payouts for people who find bugs in certain open-source projects like Kubernetes and the Linux kernel.